I stumbled upon this little tech dilemma yesterday, and I know that there is a solution to it (IRC BNC resellers have it implemented already). However, the exact details and implementation elude me, and this is what I'd like to find out.

I have a server running nginx to proxy a whole load of web services for a whole load of virtual hosts, all of them dynamically generated. I have a complete list of what each vhost should have in terms of ports, and more importantly, what they shouldn't have. A typical example:

Host 1:

port 9000: PHP-FPM

port 9001: Node

Host 2:

port 9002: PHP-FPM

port 9003: Node

port 9004: IIS (remote forward)

Each server/forward is done as the user, and I know ahead of time which port is given to which user. My question is therefore pretty straightforward: is there a way to deny a user bind/listen rights on a port based on its UID? The reason I want to do this is to prevent Host 1 from subverting Host 2's ports or vice versa.
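
An audit for the port allocation described above, as an added example that is not part of the original post: it reports listening sockets whose owning UID does not match the allocation. It is a point-in-time detection check and does not prevent the bind. It assumes a Linux host and the `/proc/net/tcp` layout; the UIDs 1001 and 1002, port 9100 and the sample table are constructed.

```python
# Added example: audit TCP listeners against a per-UID port allocation.
# Assumption: Linux /proc/net/tcp layout (tcp6 uses the same columns).

# port -> owning UID, mirroring the post's Host 1 / Host 2 layout.
# The UIDs are hypothetical: 1001 = Host 1's user, 1002 = Host 2's user.
ALLOWED = {9000: 1001, 9001: 1001, 9002: 1002, 9003: 1002, 9004: 1002}

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 11111
   1: 0100007F:232A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 11112
   2: 0100007F:232B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 11113
   3: 0100007F:2329 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 11114
   4: 00000000:238C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 11115
   5: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11116
"""


def find_violations(proc_net_tcp_text, allowed=ALLOWED):
    """Return (port, listening_uid, expected_uid) for every bad listener.

    expected_uid is None when a managed user listens on a port that is
    not allocated to anyone.
    """
    managed_uids = set(allowed.values())
    violations = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue  # only listeners matter, not established connections
        port = int(fields[1].rsplit(":", 1)[1], 16)  # hex port after last ':'
        uid = int(fields[7])
        owner = allowed.get(port)
        if owner is not None and uid != owner:
            violations.append((port, uid, owner))   # someone else's port
        elif owner is None and uid in managed_uids:
            violations.append((port, uid, None))    # unallocated port
    return violations


if __name__ == "__main__":
    for port, uid, owner in find_violations(SAMPLE):
        print(f"port {port}: listener uid {uid}, allocated to {owner}")
```

On a live host the same function can be fed the contents of `/proc/net/tcp` and `/proc/net/tcp6` instead of the sample.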